TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies
- Last updated: 2025-11-27
Cybersecurity researchers have discovered a cybercrime campaign that's using malvertising tricks to direct victims to fraudulent sites to deliver a new information stealer called TamperedChef.
"The objective is to lure victims into downloading and installing a trojanized PDF editor, which includes an information-stealing malware dubbed TamperedChef," Truesec researchers Mattias Wåhlén, Nicklas Keijser, and Oscar Lejerbäck Wolf said in a report published Wednesday. "The malware is designed to harvest sensitive data, including credentials and web cookies."
At the heart of the campaign is the use of several bogus sites to promote an installer for a free PDF editor called AppSuite PDF Editor that, once installed and launched, displays to the user a prompt to agree to the software's terms of service and privacy policy.
In the background, however, the setup program makes covert requests to an external server to fetch the PDF editor binary, and it establishes persistence by adding a Windows Registry entry that starts the downloaded executable automatically after a reboot. That registry value launches the binary with a --cm argument, which is used to pass instructions to it.
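The persistence mechanism described above is the kind of thing a responder can hunt for across a fleet. The script below is an added example, not code from Truesec's report or from the AppSuite installer: it parses a `.reg`-style export of autostart keys, pulls out the program path from each value, and flags entries whose executable lives in a user-writable directory or that pass a `--cm` argument on the command line. The page only says "Windows Registry changes", so the use of the per-user `Run` key, the value names, and the paths in the sample export are assumptions constructed for this example; on a live host you would feed it the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (which writes UTF-16, so open it with `encoding="utf-16"`).

```python
import re
from typing import Dict, List

# Constructed sample of a .reg export of a per-user Run key. Value names and
# paths are invented for this example; the report does not publish them.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"PDFEditorUpdate"="\"C:\\Users\\alice\\AppData\\Roaming\\PDF Editor\\pdfeditor.exe\" --cm=\"--fullupdate\""
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Telemetry"="C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"
'''

# Autostart keys this example inspects (assumed; the page does not name the key).
AUTORUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Directories an unprivileged installer can write to. An autostart entry pointing
# here is not malicious on its own, but it is where a user-mode dropper lands.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")

# "name"="data" lines inside a key block; both sides use .reg backslash escaping.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>.*)"$')


def _unescape_reg(s: str) -> str:
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_autoruns(reg_export: str) -> List[Dict[str, str]]:
    """Return key, value name and command line for every value under a Run/RunOnce key."""
    entries: List[Dict[str, str]] = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or not current_key.lower().endswith(AUTORUN_KEYS):
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({
                "key": current_key,
                "name": _unescape_reg(m.group("name")),
                "command": _unescape_reg(m.group("data")),
            })
    return entries


def executable_path(command: str) -> str:
    """Extract the program path from a Run value: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def flag_suspicious(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag autostart entries with a user-writable executable or a --cm argument."""
    findings: List[Dict[str, object]] = []
    for e in entries:
        reasons = []
        path = executable_path(e["command"]).lower()
        if any(d in path for d in USER_WRITABLE):
            reasons.append("executable in user-writable directory")
        # Match --cm as a standalone switch, with or without an =value.
        if re.search(r"(^|\s)--cm(=|\s|$)", e["command"]):
            reasons.append("passes --cm argument")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(parse_autoruns(SAMPLE_REG_EXPORT)):
        print(f"{f['key']}\\{f['name']}: {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Neither signal is an indicator on its own: plenty of legitimate updaters run from AppData, and `--cm` is just an argument string. The two together, on a host where a "free PDF editor" was recently installed, are what make an entry worth pulling the binary for.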